Malware Analysis Report

2025-06-15 23:34

Sample ID 241031-sxa47sypfs
Target 837156a547f1242558499b26c097a3f1_JaffaCakes118
SHA256 64188bbd2a79256585af43041b21a55b41be3ccce48d3a0ae53a7e0b59c933b4
Tags: discovery bootkit persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256

64188bbd2a79256585af43041b21a55b41be3ccce48d3a0ae53a7e0b59c933b4

Threat Level: Likely malicious

The file 837156a547f1242558499b26c097a3f1_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery bootkit persistence

Blocklisted process makes network request

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 15:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:55

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

141s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\注册答题系统.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4396 wrote to memory of 3740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4396 wrote to memory of 3740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4396 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4396 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4396 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4396 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4396 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4396 wrote to memory of 4488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4396 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4396 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\注册答题系统.bat"

C:\Windows\system32\regsvr32.exe

regsvr32 C:\微锐微速答题组件请勿删除\Microrui.dll

C:\Windows\system32\regsvr32.exe

regsvr32 C:\微锐微速答题组件请勿删除\MicroSu.dll

C:\Windows\system32\regsvr32.exe

regsvr32 C:\微锐微速答题组件请勿删除\ESu.dll

C:\Windows\system32\regsvr32.exe

regsvr32 C:\微锐微速答题组件请勿删除\TeYou.dll

C:\Windows\system32\regsvr32.exe

regsvr32 C:\微锐微速答题组件请勿删除\hao.dll

Network


Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:50

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastVerCode.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2756 wrote to memory of 2780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2756 wrote to memory of 2780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2756 wrote to memory of 2780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2756 wrote to memory of 2780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2756 wrote to memory of 2780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2756 wrote to memory of 2780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastVerCode.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastVerCode.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 dama3.hyslt.com udp
US 104.221.147.218:80 dama3.hyslt.com tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:50

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UUWisehelper.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 3752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 3752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2784 wrote to memory of 3752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UUWisehelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UUWisehelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3752 -ip 3752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 672

Network


Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:52

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\haoapi.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3748 wrote to memory of 4616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3748 wrote to memory of 4616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3748 wrote to memory of 4616 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\haoapi.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\haoapi.dll,#1

Network


Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:54

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

142s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows2008 补丁.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 4540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2864 wrote to memory of 4540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows2008 补丁.bat"

C:\Windows\system32\regsvr32.exe

Regsvr32 msscript.ocx

Network


Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:52

Platform

win7-20240903-en

Max time kernel

119s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\注册答题系统.bat"

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2372 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\注册答题系统.bat"

C:\Windows\system32\regsvr32.exe

regsvr32 C:\微锐微速答题组件请勿删除\Microrui.dll

C:\Windows\system32\regsvr32.exe

regsvr32 C:\微锐微速答题组件请勿删除\MicroSu.dll

C:\Windows\system32\regsvr32.exe

regsvr32 C:\微锐微速答题组件请勿删除\ESu.dll

C:\Windows\system32\regsvr32.exe

regsvr32 C:\微锐微速答题组件请勿删除\TeYou.dll

C:\Windows\system32\regsvr32.exe

regsvr32 C:\微锐微速答题组件请勿删除\hao.dll

Network

N/A

Files

memory/2168-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/268-1-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2204-2-0x00000000004B0000-0x00000000004B1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 16:00

Platform

win7-20241010-en

Max time kernel

73s

Max time network

29s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 488

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip.qqchaoren.net udp
HK 160.124.97.65:80 ip.qqchaoren.net tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:55

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\windows2008 补丁.bat"

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2384 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2384 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2384 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2384 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\windows2008 补丁.bat"

C:\Windows\system32\regsvr32.exe

Regsvr32 msscript.ocx

Network

N/A

Files

memory/1840-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:47

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrackCaptchaAPI.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrackCaptchaAPI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrackCaptchaAPI.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrackCaptchaAPI.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3456 wrote to memory of 1988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3456 wrote to memory of 1988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3456 wrote to memory of 1988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrackCaptchaAPI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrackCaptchaAPI.dll,#1

Network


Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:47

Platform

win7-20240903-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrackCaptchaClient.dll,#1

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 2204 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrackCaptchaClient.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrackCaptchaClient.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:50

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastVerCode.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4224 wrote to memory of 5108 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4224 wrote to memory of 5108 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4224 wrote to memory of 5108 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastVerCode.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\FastVerCode.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 624

Network


Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 16:02

Platform

win7-20240903-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\腾讯QQ资料查询管理.exe"

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\腾讯QQ资料查询管理.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\腾讯QQ资料查询管理.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\腾讯QQ资料查询管理.exe

"C:\Users\Admin\AppData\Local\Temp\腾讯QQ资料查询管理.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.yiyuekeji.com udp
CN 211.144.151.72:80 www.yiyuekeji.com tcp
US 8.8.8.8:53 www.beijing-time.org udp
CN 47.115.42.73:80 www.beijing-time.org tcp
CN 60.205.124.229:80 www.beijing-time.org tcp
US 8.8.8.8:53 www.time.ac.cn udp
CN 210.72.145.8:80 www.time.ac.cn tcp
CN 210.72.145.8:80 www.time.ac.cn tcp
US 132.163.4.102:13 tcp
US 132.163.4.101:13 tcp

Files

memory/2348-0-0x0000000000400000-0x000000000061A000-memory.dmp

memory/2348-1-0x0000000076650000-0x0000000076697000-memory.dmp

memory/2348-503-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-505-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-507-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-509-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-511-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-517-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-521-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-525-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-527-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-533-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-531-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-529-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-523-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-519-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-515-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-513-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-502-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-535-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-537-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-539-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-541-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-543-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-563-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-545-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-561-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-559-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-2238-0x00000000021B0000-0x0000000002331000-memory.dmp

memory/2348-557-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-555-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-553-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-551-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-549-0x0000000002460000-0x0000000002571000-memory.dmp

memory/2348-547-0x0000000002460000-0x0000000002571000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 16:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\腾讯QQ资料查询管理.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\腾讯QQ资料查询管理.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\腾讯QQ资料查询管理.exe

"C:\Users\Admin\AppData\Local\Temp\腾讯QQ资料查询管理.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 74.253.4.62.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

memory/2436-0-0x0000000000400000-0x000000000061A000-memory.dmp

memory/2436-1-0x0000000075B70000-0x0000000075D85000-memory.dmp

memory/2436-3275-0x0000000000400000-0x000000000061A000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:50

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrackCaptchaClient.dll,#1

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A
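The indicator above is a write-capable handle on \??\PhysicalDrive0, the raw disk device whose first sector holds the MBR. It is opened by C:\Windows\SysWOW64\rundll32.exe, the 32-bit process that the 64-bit rundll32.exe launched to host CrackCaptchaClient.dll (the "Suspicious use of WriteProcessMemory" rows further down in this run are the 64-bit parent writing into that child at creation, which is normal for the WoW64 relaunch). The report shows the open but not what, if anything, was written before the process crashed into WerFault, so the check a responder wants is to dump sector 0 from the affected host and compare it against a known-good copy. The Python below is an added example and not part of the sandbox output: it parses the MBR layout (446 bytes of boot code, four 16-byte partition entries at offset 0x1BE, the 0x55AA signature at 0x1FE) and reports what differs. The CLEAN/TAMPERED sectors are constructed test data, not bytes taken from this sample.

```python
"""Parse a 512-byte MBR and diff its boot code and partition table against a baseline."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOTCODE_LEN = 446            # bytes 0..445: executable boot code
PARTITION_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


@dataclass(frozen=True)
class Partition:
    status: int      # 0x80 = active/bootable
    type_id: int     # e.g. 0x07 NTFS, 0x0C FAT32 LBA, 0xEE GPT protective
    lba_start: int
    sectors: int

    @property
    def active(self) -> bool:
        return self.status == 0x80


def parse_partitions(sector: bytes) -> List[Partition]:
    """Return the non-empty entries of the MBR partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _chs_s, type_id, _chs_e, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if type_id == 0 and count == 0:
            continue
        parts.append(Partition(status, type_id, lba, count))
    return parts


def bootcode_sha256(sector: bytes) -> str:
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def diff_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Findings a responder cares about after a 'writes to MBR' alert (empty list = unchanged)."""
    if len(baseline) != MBR_SIZE or len(current) != MBR_SIZE:
        raise ValueError("both sectors must be exactly 512 bytes")
    findings = []
    if current[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if bootcode_sha256(baseline) != bootcode_sha256(current):
        findings.append("boot code modified (bytes 0-445 differ from baseline)")
    if current[PARTITION_TABLE_OFF:510] != baseline[PARTITION_TABLE_OFF:510]:
        findings.append("partition table modified")
    return findings


def read_mbr_windows(drive: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical drive; needs an elevated prompt on Windows.
    Same device the sandbox reports as \\??\\PhysicalDrive0."""
    with open(drive, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed test sector: given boot code plus one active NTFS partition at LBA 2048."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(MBR_SIZE)
    sector[:len(bootcode)] = bootcode
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    sector[PARTITION_TABLE_OFF:PARTITION_TABLE_OFF + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed data (assumption), not bytes from this sample: a stand-in for a clean boot sector.
CLEAN_BOOTCODE = bytes(range(256)) + bytes(range(190))   # 446 bytes
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE)
# A bootkit typically keeps the partition table and patches only the boot code; here the
# first two bytes are replaced with a short jump (EB FE) to imitate that kind of patch.
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + CLEAN_BOOTCODE[2:])

if __name__ == "__main__":
    for finding in diff_mbr(CLEAN_MBR, TAMPERED_MBR):
        print(finding)
    # On the affected host (elevated): diff_mbr(known_good_sector, read_mbr_windows())
```

On a UEFI/GPT system the sector read back is a protective MBR (one 0xEE entry) and the boot code is normally all zeros or a stub, so the same comparison still works; what matters is that the baseline comes from a trusted image of the same build, not from the suspect host.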

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 3780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1228 wrote to memory of 3780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1228 wrote to memory of 3780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrackCaptchaClient.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrackCaptchaClient.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3780 -ip 3780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 672

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 15:50

Platform

win7-20240903-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UUWisehelper.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2672 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UUWisehelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\UUWisehelper.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 16:00

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1344 wrote to memory of 2020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1344 wrote to memory of 2020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1344 wrote to memory of 2020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 888

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip.qqchaoren.net udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
HK 160.124.97.65:80 ip.qqchaoren.net tcp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-31 15:29

Reported

2024-10-31 16:00

Platform

win7-20241010-en

Max time kernel

122s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\haoapi.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2448 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\haoapi.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\haoapi.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.haoi23.net udp

Files

N/A
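The Network tables of the behavioral runs above mix sample traffic with sandbox background. The reverse lookups for *.in-addr.arpa names and the tse1.mm.bing.net / g.bing.com sessions on 150.171.28.10:443 are typical Windows 10 background activity (behavioral18 shows nothing else), while www.yiyuekeji.com, www.beijing-time.org, www.time.ac.cn, ip.qqchaoren.net and www.haoi23.net are attributable to the sample. Port 13/tcp in behavioral16 is the daytime protocol (RFC 867), a plaintext time service, and 132.163.4.101/102 are NIST time-service addresses, so that run consulted three independent time sources over HTTP and daytime. The Python below is an added example, not part of the sandbox output: it parses rows in the report's flattened "Country Destination Domain Proto" layout (including the rows with no Domain value) and keeps only the contacts attributable to the sample. The rows in SAMPLE_ROWS are copied from the tables above; the background suffix list is an assumption to tune to the sandbox image in use.

```python
"""Separate sample-attributable network contacts from sandbox background in flattened report rows."""
import re
from typing import Dict, List, Optional, Set

# Rows copied from the Network tables of this report (header line included on purpose).
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 www.yiyuekeji.com udp
CN 211.144.151.72:80 www.yiyuekeji.com tcp
US 8.8.8.8:53 www.beijing-time.org udp
CN 47.115.42.73:80 www.beijing-time.org tcp
US 8.8.8.8:53 www.time.ac.cn udp
CN 210.72.145.8:80 www.time.ac.cn tcp
US 132.163.4.102:13 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ip.qqchaoren.net udp
HK 160.124.97.65:80 ip.qqchaoren.net tcp
US 8.8.8.8:53 www.haoi23.net udp
US 8.8.8.8:53 udp
"""

# The Domain column is optional: rows like "US 132.163.4.102:13 tcp" carry no name.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Assumption: names the sandbox's Windows image resolves on its own, not the sample.
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.net", ".bing.com")

PORT_NOTES = {13: "daytime, RFC 867", 53: "dns", 80: "http", 443: "https"}


def parse_rows(text: str) -> List[Dict[str, Optional[object]]]:
    """Parse flattened 'Country Destination Domain Proto' rows; skips the header and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append({
            "cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
            "domain": m["domain"], "proto": m["proto"],
        })
    return rows


def is_background(row: Dict[str, Optional[object]]) -> bool:
    domain = row["domain"]
    return bool(domain) and str(domain).endswith(BACKGROUND_SUFFIXES)


def sample_contacts(rows) -> Dict[str, Set[str]]:
    """Map each sample-attributable name (or bare IP) to the endpoints it connected to.
    A name that was only resolved, with no connection seen, maps to an empty set."""
    contacts: Dict[str, Set[str]] = {}
    for r in rows:
        if is_background(r):
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"]:                       # DNS query for a name: keep it as an indicator
                contacts.setdefault(str(r["domain"]), set())
            continue                              # DNS row with no name carries nothing usable
        key = str(r["domain"] or r["ip"])
        contacts.setdefault(key, set()).add(f"{r['ip']}:{r['port']}/{r['proto']}")
    return contacts


def summarize(contacts: Dict[str, Set[str]]) -> List[str]:
    """Human-readable triage lines with a service note per destination port."""
    lines = []
    for name in sorted(contacts):
        endpoints = contacts[name]
        if not endpoints:
            lines.append(f"{name}: resolved only, no connection seen")
            continue
        for ep in sorted(endpoints):
            port = int(ep.rsplit("/", 1)[0].rsplit(":", 1)[1])
            lines.append(f"{name} -> {ep} ({PORT_NOTES.get(port, 'unknown service')})")
    return lines


if __name__ == "__main__":
    for line in summarize(sample_contacts(parse_rows(SAMPLE_ROWS))):
        print(line)
```

The two rules doing the work are the suffix filter and the treatment of DNS rows: a query for a non-background name is kept even without a follow-up connection (www.haoi23.net in behavioral11 is exactly that case), while a connection without a name is keyed by its IP so the daytime contact is not lost.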